Changes

Jump to: navigation, search

Identity/AttachedServices/KeyServerProtocol

103 bytes added, 03:06, 12 July 2013
Signing Certificates
[[File:PICL-IdPAuth-signCertificateuse-session.png|Deriving Keys to Sign Using the CertificatesessionToken, signing certificates]]
The requestHMACkey is used in a HAWK (https://github.com/hueniverse/hawk/) request to provide integrity over the "signCertificate" request. It is used as credentials.key, while tokenID is used as credentials.id . HAWK includes the URL and the HTTP method ("POST") in the HMAC-protected data, and will optionally include the HTTP request body (payload) if requested.
For signCertificate(), it is critical to enable payload verification by setting options.payload=true (on both client and server). Otherwise a man-in-the-middle could submit their own public key, get it signed, and then delete the user's data on the storage servers.
[[File:PICL-IdPAuth-signRequestencrypt-passwordChange.png|Signing the signCertificate RequestServer encrypts passwordChange response]][[File:PICL-IdPAuth-encrypt-resetAccount.png|Client encrypts resetAccount request]] 
HAWK provides one thing: integrity/authentication for the request contents (URL, method, and optionally the body). It does not provide confidentiality of the request, or integrity of the response, or confidentiality of the response.
Confirm
471
edits

Navigation menu